Blazor Security - Razor Pages custom authentication/security

Christian Schmitt

I'm trying to build a Blazor application that is hosted on the server and the starting point is inside a razor page. Something like that:

<component type="typeof(Main)" render-mode="ServerPrerendered" param-Data="@simple"/>

My questions are:

  • What happens if the razor page has an Authorized Attribute, is all blazor code then correctly secured with the authentication?
  • Is it impossible to call the blazor app without the razor page circuit id?
  • What if my razor page does have a custom authentication based on database values inside the OnGetAsync method - do I need to redo some of that stuff inside blazor or does the stateful component only get rendered when the razor page works?

  • What happens if I have an arbitrary if/else block that would have a button call, would that button call be guarded by the state?

Something along the lines:

@if (HasPermission)
{
   <button type="button" @onclick="MutateDatabase">MutateDatabase</button>
}

timur

I assume you run Blazor Server (At the time of writing WASM is still in preview and will be quite different security-wise).

The documentation states that Blazor does indeed integrate with ASP.NET Core identity:

Blazor Server apps include a built-in AuthenticationStateProvider service that obtains authentication state data from ASP.NET Core's HttpContext.User. This is how authentication state integrates with existing ASP.NET Core server-side authentication mechanisms.

Now, to your questions:

  1. Given your rendering mode, for Blazor to kick in, the Razor page has to render an initial state and mark the element where Blazor is to manage the view later on. The way AuthorizeAttribute works (I presume this is what you meant?) will block the page from rendering, so this should prevent Blazor from starting altogether - you will get redirected away to authenticate. Once your users are past that gate though - be aware that Blazor handles [Authorize] on child controls differently:

    Only use [Authorize] on @page components reached via the Blazor Router. Authorization is only performed as an aspect of routing and not for child components rendered within a page. To authorize the display of specific parts within a page, use AuthorizeView instead.

    (this doesn't seem to be your case, but I'd put it here just in case)

  2. I'm not entirely sure if I understand the statement here: circuit is the term MS uses to identify the slice of server where your application instance lives while it's displayed to a client. The connection is maintained via websockets and is generally scoped to a session (check out cookies and url parameters to your /_blazor endpoint). The user is however not guaranteed to have the same circuit throughout application lifetime (due to connection issues or server load-balancer config) - and it is fine, you are expected to handle state persistence across circuits yourself.

  3. This case I believe will be the same as (1): you don't get Blazor to start until hosting Razor view is rendered.
  4. It's probably best to follow Blazor's security management page: you have a couple of options to ensure you're catering for authenticated users:

    1. Use <AuthorizeView> to control what gets rendered:

    <AuthorizeView>
    <Authorized>
        <button type="button" @onclick="MutateDatabase">MutateDatabase</button>
    </Authorized>
    <NotAuthorized>
        <p>You're not signed in.</p>
    </NotAuthorized>
    </AuthorizeView>
    

    You can technically use an if (user.IsInRole()) statement, but that might not get updated when User AuthenticationState changes.

    If this is not sufficient, you can either pick up cascading AuthenticationState parameter or look at implementing your own AuthenticationStateProvider.
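
An added example (not part of the original answer) combining the AuthorizeView and cascading AuthenticationState options for the guarded button: the view decides what is rendered, and the handler re-checks the current user before it changes anything. It assumes the component is rendered inside `<CascadingAuthenticationState>`; the policy name `CanMutate` and the `DoMutationAsync` helper are hypothetical.

```razor
@* Added example. Assumes a surrounding <CascadingAuthenticationState> and a
   registered authorization policy named "CanMutate" (hypothetical name). *@
@using Microsoft.AspNetCore.Authorization
@using Microsoft.AspNetCore.Components.Authorization
@inject IAuthorizationService AuthorizationService

<AuthorizeView Policy="CanMutate">
    <Authorized>
        <button type="button" @onclick="MutateDatabase">MutateDatabase</button>
    </Authorized>
    <NotAuthorized>
        <p>You're not allowed to do this.</p>
    </NotAuthorized>
</AuthorizeView>

@if (denied)
{
    <p>Permission check failed; nothing was changed.</p>
}

@code {
    // Supplied by <CascadingAuthenticationState>; null if that wrapper is missing.
    [CascadingParameter]
    private Task<AuthenticationState> AuthenticationStateTask { get; set; }

    private bool denied;

    private async Task MutateDatabase()
    {
        // Evaluate the user at the moment of the call instead of relying on
        // whatever was true when the button was rendered.
        var user = (await AuthenticationStateTask).User;
        var result = await AuthorizationService.AuthorizeAsync(user, "CanMutate");
        if (!result.Succeeded)
        {
            denied = true;
            return;
        }

        denied = false;
        await DoMutationAsync();
    }

    // Hypothetical placeholder for the real database write.
    private Task DoMutationAsync() => Task.CompletedTask;
}
```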
